[WindowsMobile] MSIL.Letum.A@mm - Mobilfunk-FAQ

Hangman · 25.06.2007, 01:07

Risiko: gering
Typ: Wurm
entdeckt am: 08. April 2006
auch bekannt als: keine Angabe

Information:

MSIL.Letum.A@mm is a worm written in Microsoft .NET's Microsoft Intermediate Language (MSIL) that can affect both Windows PC and Windows Mobile powered devices that have the .NET framework installed. The worm arrives as an attachment to a spoofed email that pretends to come from Symantec and also spreads through Usenet servers.

technische Details:

When MSIL.Letum.A@mm is executed, it performs the following actions:
Copies itself into a preexisting, randomly chosen folder with the following name:

Letum.exe

Adds the value:

"Letum" = "C:\[PATH TO WORM]\Letum.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run

so that it is executed every time Windows starts.

Adds the value:

"Letum" = "C:\[PATH TO WORM]\Letum.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Retro

Gathers email addresses from .html files on the compromised computer.

Sends a copy of itself to the email addresses gathered, using it's own SMTP engine.

The email has the following characteristics:

From: Symantec Security Response

Subject:
One of the following:
Warning!
Virus Alert
Customer Support
Re:
Re:Warning
Letum
Virus Report

Message body:
One of the following:
Dear Users

Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware.

Regards
Security Response
Hiya,

I've found this tool a couple of weeks ago, and after using it i was surprised on how good [REMOVED] malware. The engine it uses isnt to bad, but the searching speed is very fast for such a small size

Attachment: test.exe

Posts a copy of itself to any Usenet servers found under the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager

If no Usenet servers were found in the above key, it will use the following server:
news.microsoft.com

May display the following message:

Title: Name Entry Error
Text:
Dear [REMOVED]

[REMOVED] is a person not a [REMOVED] genetically modified food product. \nShe's not happy you called her that!

Regards

[Link nur für registrierte Mitglieder sichtbar.]

25.06.2007, 01:07	#1 (Permalink)
Hangman Administrator Name: Christian Handy: Nokia N95, FuSi Pocket Loox 720 Netzbetreiber: Vodafone Avatare sind nur für MFF-Mitglieder sichtbar! Bike Mania Champion! Registriert seit: 17.04.2006 Ort: Erfurt Beiträge: 2.770 Motto: S*x ist wie Sport: Man spielt 'ne halbe Stunde, schwitzt viel und hofft, daß man nichts ins Auge bekommt. Downloads: 341 Uploads: 325 Abgegebene Danke: 47 Erhielt 484 Danke für 265 Beiträge	[WindowsMobile] MSIL.Letum.A@mm Risiko: gering Typ: Wurm entdeckt am: 08. April 2006 auch bekannt als: keine Angabe Information: MSIL.Letum.A@mm is a worm written in Microsoft .NET's Microsoft Intermediate Language (MSIL) that can affect both Windows PC and Windows Mobile powered devices that have the .NET framework installed. The worm arrives as an attachment to a spoofed email that pretends to come from Symantec and also spreads through Usenet servers. technische Details: When MSIL.Letum.A@mm is executed, it performs the following actions: Copies itself into a preexisting, randomly chosen folder with the following name: Letum.exe Adds the value: "Letum" = "C:\[PATH TO WORM]\Letum.exe" to the registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run so that it is executed every time Windows starts. Adds the value: "Letum" = "C:\[PATH TO WORM]\Letum.exe" to the registry subkey: HKEY_LOCAL_MACHINE\Software\Retro Gathers email addresses from .html files on the compromised computer. Sends a copy of itself to the email addresses gathered, using it's own SMTP engine. The email has the following characteristics: From: Symantec Security Response Subject: One of the following: Warning! Virus Alert Customer Support Re: Re:Warning Letum Virus Report Message body: One of the following: Dear Users Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware. Regards Security Response Hiya, I've found this tool a couple of weeks ago, and after using it i was surprised on how good [REMOVED] malware. The engine it uses isnt to bad, but the searching speed is very fast for such a small size Attachment: test.exe Posts a copy of itself to any Usenet servers found under the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager If no Usenet servers were found in the above key, it will use the following server: news.microsoft.com May display the following message: Title: Name Entry Error Text: Dear [REMOVED] [REMOVED] is a person not a [REMOVED] genetically modified food product. \nShe's not happy you called her that! Regards [Link nur für registrierte Mitglieder sichtbar.] __________________ lesen - denken - posten

Themen-Optionen
Druckbare Version zeigen Jemanden per E-Mail auf dieses Thema hinweisen
Ansicht
Linear-Darstellung Zur Hybrid-Darstellung wechseln Zur Baum-Darstellung wechseln

Ähnliche Themen
Thema	Autor	Forum	Antworten	Letzter Beitrag
Virus: [WindowsMobile] WinCE.Duts.A	herkules4	PDA-Phones, PDAs, PPCs & Organizer	2	25.06.2007 21:40

Aktive Benutzer in diesem Thema: 1 (Registrierte Benutzer: 0, Gäste: 1)